Netbackup KMS security setting

AnthonyTsang
Level 4
We are facing an auditing issue with NetBackup KMS. I hope someone can help.

Apart from using the passphrase to regenerate the KMS_HMKF.dat, KMS_KPKF.dat and KMS_DATA.dat files:

1) How can we prevent those KMS files from being accessed or copied by someone, especially by administrators? By default, those 3 files grant Local System Full permission and the local Administrators group Modify and special permissions. Can I block administrators from accessing those files? Is there any impact?
Accepted Solutions

Nicolai
Moderator
Partner    VIP   

1: The only way to prevent someone from copying these files is to prevent staff from having access to those files, e.g. only allow staff to manage NBU through a GUI, or deploy NBAC on the server (users being normal domain users). If all staff have administrator rights, it's almost impossible to prevent access, because all barriers can be disabled by an admin.

But that said - a NetBackup admin can restore all data anyway, data encrypted or not, so what are the auditors worried about?

Please also note: if the passphrase is known, every NBU admin can re-create the encryption keys needed. This is one of the reasons why NBAC has a special KMS admin role separate from the normal NBU admin.
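
As an added example (not part of the original posts and not Veritas code), this PowerShell script lists who currently holds access to the three KMS files named in the question, which is the evidence an auditor would normally ask for. The folder path is a placeholder parameter and an assumption; supply the location used on your master server.

```powershell
# Added example: report every ACL entry on the three KMS files named in the question.
param(
    # Assumption: placeholder; pass the folder that holds the KMS files on your master server.
    [Parameter(Mandatory)] [string] $KmsDir
)

$files = 'KMS_HMKF.dat', 'KMS_KPKF.dat', 'KMS_DATA.dat'

# ReadData is the right that lets a principal read (and therefore copy) a file.
$readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($name in $files) {
    $path = Join-Path $KmsDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }

    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        # One output row per access control entry, so unexpected grants stand out.
        [pscustomobject]@{
            File      = $name
            Owner     = $acl.Owner
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            # True when this single Allow entry includes read access;
            # Deny entries on the same file are listed but not netted out here.
            CanCopy   = ($ace.AccessControlType -eq 'Allow') -and
                        (($ace.FileSystemRights -band $readMask) -ne 0)
        }
    }
}
```

The listing shows current grants only; as the answer says, an account with administrator rights can change the ACL or take ownership, so it does not show what such an account could obtain.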
